November 2019 - Dev - lists.ceph.io

DocuBetter 13 Nov 2019

by John Zachary Dover

Hi everyone. The next DocuBetter meeting is scheduled for 13 Nov 2019 at 1730 UTC. Etherpad: https://pad.ceph.com/p/Ceph_Documentation Meeting: https://bluejeans.com/908675367 Agenda: This week Zac Dover, the new Ceph writer, will introduce himself. RST will be discussed. The Getting Started Guide will be discussed. Docs gaps and wishes will be discussed. Thanks, everyone. Zac Dover

4 years, 5 months

1
0
0 0

Re: Slow performing ceph-volume

by Sage Weil

On Wed, 13 Nov 2019, Paul Cuzner wrote: > Hi Sage, > > So I tried switching out the udev calls to pyudev, and shaved a whopping > 1sec from the timings..Looking deeper I found that the issue is related to > *ALL* process.Popen calls (of which there are many!) - they all use > close_fds=True. > > My suspicion is that when running in a container the close_fds sees fd's > from the host too - so it tries to tidy up more than it should. If you set > ulimit -n 1024 or something and then try a ceph-volume inventory, it should > just fly through! (at least it did for me) > > Let me know if this works for you. Yes.. that speeds of significantly! 1.5s -> .2s in my case. I can't say that I understand why, though... it seems like ulimit -n will make file open attempts fail, but I don't see any failures. Can we drop the close_fds arg? sage

4 years, 5 months

4
4
0 0

unblocking the py3 transition

by Sage Weil

Hi everyone, The transition to python3-only is blocked on three missing python packages in EPEL7: - python36-werkzeug: tracked by https://bugzilla.redhat.com/show_bug.cgi?id=1545888 - python36-pecan: tracked by https://bugzilla.redhat.com/show_bug.cgi?id=1766839 - python36-cherrypy: tracked by https://bugzilla.redhat.com/show_bug.cgi?id=1765032 In order to get these into EPEL, they need to go into Fedora first, which has its own (slow) process. In the meantime, these packages are easy to build manually as one-offs (and may already have been built by David and sitting in a temporary repo). To unblock this, what if we require that temporary repo for centos7 *master* installs, and add it to the teuthology workers via ceph-cm-ansible? The assumption is that by the time we release octopus we will have gotten the dependencies in to the appropriate upstream repos. That means we have until March 2020... 4 months away. Thanks! sage

4 years, 5 months

8
13
0 0

mgr/ssh invocation of ceph-daemon

by Sage Weil

Right now the way ceph-daemon is used by the ssh orchestrator is designed to minimize the dependencies/setup complexity. The only requirements for a host to be added to the cluster are - python (2 or 3) - systemd - either podman or docker installed - the ceph cluster's pub key in /root/.ssh/authorized_keys No other software (including Ceph) needs to be installed. The mgr/ssh module invokes ceph-daemon on the remote host by running /usr/bin/python over ssh and piping the cluster's version of ceph-daemon to stdin. The downside to this approach is that some users might not like the idea of ceph having an ssh key with root access. For large clusters I'm not sure how much this really matters--if you pwn ceph you can delete TB to PB of data so do you really care if someone has root?--but for hyperconverged cases this might be a problem. One alternative might be to - create a ceph user on the node, and put the cluster's key in that user's authorized_keys - install a package that includes ceph-daemon (/usr/bin/ceph-damaen) - install an /etc/sudoers.d/ceph file that lets the ceph user 'sudo ceph-daemon ...' Cons: - This makes the bootstrap process slightly more complicated: (1) install package, (2) create user, (3) install ssh key (vs just #3). - The remote version of ceph-daemon can get out of sync with the cluster.. either stale and missing some feature, or even too new and not behaving the way the cluster expects. Pros: - This limits the attack surface area (if someone manages to get the cluster's ssh key) to the functions that ceph-daemon implements, vs full root. We could mitigate the 'keep ceph-daemon up to date' problem somewhat by implementing a 'ceph-daemon update' function that will apt/dnf/yum install ceph-daemon on the local host, so that the cluster could self-update the remote host. Or... we could skip the package entirely and install the ceph-daemon script in /home/ceph/ceph-daemon, and include an update function that updates the script in place. That is less complicated than knowing how to apt/dnf/yum install a package for all the random distros and repo location combinations (one of the biggest benefits of containers IMO). But it still requires some sort of process to keep ceph-daemon up to date. Maybe if we always pass an md5sum to ceph-daemon whenever we invoke it to assert that we are running the version we want, and if there is a mismatch, ceph-daemon bails out with a special exit code that triggers and update and retry? Anyway, what are people's thoughts here? How much more complicated are we interested or willing to make this to make people more comfortable with the idea that ceph owns an ssh key? sage

4 years, 5 months

6
9
0 0

subscribe

by Matt Benjamin

subscribe -- Matt Benjamin Red Hat, Inc. 315 West Huron Street, Suite 140A Ann Arbor, Michigan 48103 http://www.redhat.com/en/technologies/storage tel. 734-821-5101 fax. 734-769-8938 cel. 734-216-5309

4 years, 5 months

1
0
0 0

mimic 13.2.7 status

by Yuri Weinstein

Hello All PRs were tested and merged, mimic repo is locked and we will start QE validation soon. Thx YuriW

4 years, 5 months

3
5
0 0

rgw: coroutine stack protection

by Casey Bodley

Gal was able to track down some memory bugs with address sanitizer and identify them as overflows of the coroutine stack used by the beast frontend. Unlike pthread stacks, these heap-allocated coroutine stacks don't have any memory protection to catch these overflows. The boost::asio::spawn() [1] function that creates these coroutines does allow you to pass in coroutine attributes to control the stack size (which defaults to 128K), and we were able to increase that in testing and see the errors go away. But since these coroutines are how we expect the beast frontend to scale to thousands of connections, we really don't want to raise the stack size permanently and limit how many we can fit in memory. Unfortunately, the boost::coroutine library used by boost::asio doesn't give us any flexibility outside of the stack size, though the underlying boost::context library provides several different options for the stack allocation [2]. And despite boost::coroutine being long deprecated by boost::coroutine2, boost::asio has never removed its dependency on the former. The maintainer of these coroutine libraries even submitted a pull request against boost::asio in 2017 to use boost::context directly [3], allowing boost::asio::spawn() to use any of its stack allocators. My sense is that the asio maintainer is more interested in integration with the C++ Coroutines TS, rather than continuing to support these stackful coroutines that aren't part of the C++ Networking TS. I rebased this stale pull request and added some test coverage in https://github.com/cbodley/asio/commits/wip-spawn-context. Then, since spawn() is relatively independent from the rest of boost::asio, I forked that part into a new repo at https://github.com/cbodley/spawn. Using this fork, radosgw could continue using boost::asio as it is (and eventually the Networking TS), but call spawn::spawn() instead for direct control over the coroutine stack allocation. Of the available stack allocators, the segmented_stack looked promising; that would allow us to start with a small stack, and grow as more space was needed. However, this would require us to build our own boost as segmented stacks aren't enabled by default. It also doesn't help us control the total stack size used per connection. So the consensus is to use the protected_fixedsize allocator based on mmap/mprotect with the existing 128K limit. That way we can catch these stack overflows in testing, and treat the stack usage itself as bugs. Casey [1] https://www.boost.org/doc/libs/1_71_0/doc/html/boost_asio/reference/spawn.h… [2] https://www.boost.org/doc/libs/1_71_0/libs/context/doc/html/context/stack.h… [3] https://github.com/boostorg/asio/pull/55

4 years, 5 months

2
2
0 0

build on RHEL8

by kefu chai

hi folks, just want to share my findings regarding to building ceph on RHEL8 here. today, i was trying to build ceph on RHEL8. but it seems we are missing some build dependencies on this distro, because quite a few packages were removed from RHEL8 [0], and these packages are still missing EPEL8: No matching package to install: 'gperftools-devel >= 2.6.1' No matching package to install: 'leveldb-devel > 1.2' No matching package to install: 'libbabeltrace-devel' No matching package to install: 'liboath-devel' No matching package to install: 'python3-cherrypy' No matching package to install: 'python3-coverage' No matching package to install: 'python3-pecan' No matching package to install: 'python3-routes' No matching package to install: 'python3-tox' No matching package to install: 'xmlstarlet' i've added EPEL8 repo by following [1]. probably packages being added to EPEL8 in future will help to ease the pain. but at this moment, some unnecessary dependencies are just missing. cheers, --- [0] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/ht… [1] https://fedoraproject.org/wiki/EPEL -- Regards Kefu Chai

4 years, 5 months

2
3
0 0

Missing dependency while rebuilding SRPM on Centos7

by Bryan Stillwell

I'm attempting to rebuild the Nautilus 14.2.4 SRPM on CentOS 7 and there's one build dependency I'm not able to find: [bstillwell@build01 ~]$ rpmbuild --rebuild ceph-14.2.4-0.el7.src.rpm Installing ceph-14.2.4-0.el7.src.rpm warning: ceph-14.2.4-0.el7.src.rpm: Header V4 RSA/SHA256 Signature, key ID 460f3994: NOKEY warning: user jenkins-build does not exist - using root warning: group jenkins-build does not exist - using root warning: user jenkins-build does not exist - using root warning: group jenkins-build does not exist - using root error: Failed build dependencies: python3-Cython is needed by ceph-2:14.2.4-0.el7.x86_64 Could someone tell me where I can find the RPM for python3-Cython? It appears that Cython-0.19-5.el7 provides python2-Cython, but not the python3 version. Thanks, Bryan

4 years, 5 months

3
5
0 0

Re: RMDA Bug?

by Liu, Changcheng

Hi Williams, Besides usign same port(both publid and cluster network use RDMA) for RDMA messenger, I also tried to use public-network-TCP-messenger and cluster-network-RDMA-messenger. There's no serious problem happen. The ceph is built by self based on master commit 8cb1f6bd(Wed Nov 6 18:43:41 2019 -0500). I don't have too many nodes to check your problem. BTW, on "ceph-users Digest, Vol 82, Issue 27", there's below item: 2. Re: mgr daemons becoming unresponsive (Gregory Farnum) However, I haven't hit mgr problem in my side. B.R. Changcheng On 08:53 Mon 11 Nov, Mason-Williams, Gabryel (DLSLtd,RAL,LSCI) wrote: > @Changcheng > > Sorry for the late reply as well. > > I followed your setup and I have an issue where the MGR cannot connect > to the cluster and RDMA does not work, I believe the MGR is not > supported on RDMA. > > Thank you for your time but I believe we may be hitting a dead end with > this approach as we seem to get different results. > > Kind regards > > Gabryel Mason-Williams > __________________________________________________________________ > > From: Liu, Changcheng <changcheng.liu(a)intel.com> > Sent: 01 November 2019 06:24 > To: Mason-Williams, Gabryel (DLSLtd,RAL,LSCI) > <gabryel.mason-williams(a)diamond.ac.uk> > Cc: dev(a)ceph.io <dev(a)ceph.io> > Subject: Re: RMDA Bug? > > @Williams, > Sorry for late reply. I'm busy on working getting Ceph/RDMA > performance data these days. > I'm using Intel RDMA NIC with small cluster, there's no serious > issue > happened. > For Mellanox NIC, there's no problem with your ceph.conf from my > perspective. > Below is the steps that I used to deploy cluster > 1. server0: 172.16.1.4, /dev/nvme0n1, /dev/nvme1n1 > 2. server1: 172.16.1.2, /dev/nvme0n1, /dev/nvme1n1 > > Below is my deploy steps: > [admin@server0 deploy]$ ceph-deploy new server0 --fsid > 24280750-d4f7-4d4f-89e4-f95b8fab87ff > [admin@server0 deploy]$ #change ceph.conf as below: > [admin@server0 deploy]$ cat ceph.conf > [global] > cluster = ceph > fsid = 24280750-d4f7-4d4f-89e4-f95b8fab87ff > auth_cluster_required = cephx > auth_service_required = cephx > auth_client_required = cephx > > osd pool default size = 2 > osd pool default min size = 2 > osd pool default pg num = 64 > osd pool default pgp num = 128 > > osd pool default crush rule = 0 > osd crush chooseleaf type = 1 > > mon_allow_pool_delete=true > osd_pool_default_pg_autoscale_mode=on > > ms_type = async+rdma > ;----changcheng: change device to your dev name---------- > ms_async_rdma_device_name = irdma1 > ;----changcheng: ignore below parameters with Mellanox > NIC-------- > ;ms_async_rdma_support_srq = false > > mon_initial_members = server0 > mon_host = 172.16.1.4 > > [mon.rdmarhel0] > host = server0 > mon addr = 172.16.1.4 > [admin@server0 deploy]$ ceph-deploy mon create-initial > [admin@server0 deploy]$ ceph-deploy admin server0 server1 > [admin@server0 deploy]$ ceph-deploy mgr create server0 > [admin@server0 deploy]$ ceph-deploy osd create --data /dev/nvme0n1 > server0 > [admin@server0 deploy]$ ceph-deploy osd create --data /dev/nvme1n1 > server0 > [admin@server0 deploy]$ ceph-deploy osd create --data /dev/nvme0n1 > server1 > [admin@server0 deploy]$ ceph-deploy osd create --data /dev/nvme1n1 > server1 > B.R. > Changcheng > On 08:27 Thu 31 Oct, Mason-Williams, Gabryel (DLSLtd,RAL,LSCI) wrote: > > 1. When not defining a public and cluster network the OSD and MGR > > nodes do not get recognised > > > > sudo ceph -s > > > > cluster: > > > > id: 820f1573-bc4a-4ee0-b702-80ba5ac13c25 > > > > health: HEALTH_WARN > > > > 3 osds down > > > > 3 hosts (3 osds) down > > > > 1 root (3 osds) down > > > > no active mgr > > > > too few PGs per OSD (21 < min 30) > > > > > > services: > > > > mon: 3 daemons, quorum > > cs04r-sc-com99-05,cs04r-sc-com99-07,cs04r-sc-com99-08 (age 5m) > > > > mgr: no daemons active (since 4m) > > > > osd: 3 osds: 0 up (since 9m), 3 in (since 9m) > > > > > > data: > > > > pools: 1 pools, 64 pgs > > > > objects: 0 objects, 0 B > > > > usage: 3.0 GiB used, 114 GiB / 117 GiB avail > > > > pgs: 44 stale+active+clean > > > > 20 active+clean > > > > This is an issue within the ms_type being async+rdma as the > daemons are > > running: > > > > sudo systemctl status ceph-osd.target > > > > $B!|(B ceph-osd.target - ceph target allowing to start/stop all > > ceph-osd@.service instances at once > > > > Loaded: loaded (/usr/lib/systemd/system/ceph-osd.target; > enabled; > > vendor preset: enabled) > > > > Active: active since Thu 2019-10-31 08:13:42 GMT; 8min ago > > > > sudo systemctl status ceph-mgr.target > > > > $B!|(B ceph-mgr.target - ceph target allowing to start/stop all > > ceph-mgr@.service instances at once > > Loaded: loaded (/usr/lib/systemd/system/ceph-mgr.target; > enabled; > > vendor preset: enabled) > > Active: active since Thu 2019-10-31 08:13:33 GMT; 11min ago > > > > With the config being > > > > [global] > > > > fsid = 820f1573-bc4a-4ee0-b702-80ba5ac13c25 > > > > mon_initial_members = node1, node2, node3 > > > > mon_host = xxx.xx.xxx.aa,xxx.xx.xxx.ac, xxx.xx.xxx.ad > > > > auth_cluster_required = cephx > > > > auth_service_required = cephx > > > > auth_client_required = cephx > > > > ms_type = async+rdma > > > > ms_async_rdma_device_name = mlx4_0 > > > __________________________________________________________________ > > > > From: Liu, Changcheng <changcheng.liu(a)intel.com> > > Sent: 31 October 2019 01:09 > > To: Mason-Williams, Gabryel (DLSLtd,RAL,LSCI) > > <gabryel.mason-williams(a)diamond.ac.uk> > > Cc: dev(a)ceph.io <dev(a)ceph.io> > > Subject: Re: RMDA Bug? > > > > > 2) I'll confirm with my colleague that whether cluster network > is > > really used in 14.2.4. We also hit similar problem these days even > > using TCP async messenger. > > [Changcheng]: > > 1) The problem should be already sovled in 14.2.4. We hit the > problem > > in 14.2.1 > > 2) I'll try to verify your problem when I have time(I'm working on > > other > > affairs). There should be no problem when unifying both > public/cluster > > network with RDMA device. > > On 23:22 Wed 30 Oct, Liu, Changcheng wrote: > > > I'm working on master branch and deploy two nodes cluster. Data > is > > transferring over RDMA. > > > [admin@server0 ~]$ sudo ceph daemon osd.0 perf dump > > AsyncMessenger::RDMAWorker-1 > > > { > > > "AsyncMessenger::RDMAWorker-1": { > > > "tx_no_mem": 0, > > > "tx_parital_mem": 0, > > > "tx_failed_post": 0, > > > "tx_chunks": 26966, > > > "tx_bytes": 52789637, > > > "rx_chunks": 26916, > > > "rx_bytes": 52812278, > > > "pending_sent_conns": 0 > > > } > > > } > > > > > > The only difference is that I don$B!G(Bt differentiate > public/cluster > > network in my cluster. > > > You can try to make all public/cluster network use RDMA. > > > Note: > > > 1) If both public/cluster use RDMA, we can$B!G(Bt > differentiate them in > > different subnetwork. This is feature limited. I'm planning to > solve it > > in future) > > > 2) I'll confirm with my colleague that whether cluster network > is > > really used in 14.2.4. We also hit similar problem these days even > > using TCP async messenger. > > > > > > Below is my cluster's ceph configuration. > > > I also attach the systemd patch used in my side. > > > [admin@server0 ~]$ cat /etc/ceph/ceph.conf > > > [global] > > > cluster = ceph > > > fsid = 24280750-d4f7-4d4f-89e4-f95b8fab87ff > > > auth_cluster_required = cephx > > > auth_service_required = cephx > > > auth_client_required = cephx > > > > > > osd pool default size = 2 > > > osd pool default min size = 2 > > > osd pool default pg num = 64 > > > osd pool default pgp num = 128 > > > > > > osd pool default crush rule = 0 > > > osd crush chooseleaf type = 1 > > > > > > mon_allow_pool_delete=true > > > osd_pool_default_pg_autoscale_mode=off > > > > > > ms_type = async+rdma > > > ms_async_rdma_device_name = mlx5_0 > > > > > > mon_initial_members = server0 > > > mon_host = 172.16.1.4 > > > > > > [mon.rdmarhel0] > > > host = server0 > > > mon addr = 172.16.1.4 > > > [admin@server0 ~]$ > > > > > > B.R. > > > Changcheng > > > > > > On 13:07 Wed 30 Oct, Mason-Williams, Gabryel (DLSLtd,RAL,LSCI) > wrote: > > > > 1. The current problem is that it still sending data over > the > > ethernet > > > > instead of ib. > > > > 2. [global] > > > > fsid=xxxx > > > > mon_initial_members = node1, node2, node3 > > > > mon_host = xxx.xx.xxx.ab,xxx.xx.xxx.ac, xxx.xx.xxx.ad > > > > auth_cluster_required = cephx > > > > auth_service_required = cephx > > > > auth_client_required = cephx > > > > public_network = xxx.xx.xxx.0/24 > > > > cluster_network = xx.xxx.0.0/16 > > > > ms_cluster_type = async+rdma > > > > ms_type = async+rdma > > > > ms_public_type = async+posix > > > > [mgr] > > > > ms_type = async+posix > > > > 3. The ceph cluster is deployed using ceph-deploy then > once up > > all of > > > > the daemons are turned off the rdma cluster config is > then > > sent > > > > around then once that is complete the daemons are > turned > > back on. > > > > The ulimit is set to unlimited, LimitMEMLOCK=infinity > is set > > on the > > > > ceph-disk@.service, ceph-mds@.service, > ceph-mon@.service, > > > > ceph-osd@.service, ceph-radosgw@.service, aswell as > > > > PrivateDevices=no on ceph-mds@.service, > ceph-mon@.service > > and > > > > ceph-radosgw@.service. The ethernet mtu is set to 1000 > > > > > > __________________________________________________________________ > > > > > > > > From: Liu, Changcheng <changcheng.liu(a)intel.com> > > > > Sent: 30 October 2019 12:24 > > > > To: Mason-Williams, Gabryel (DLSLtd,RAL,LSCI) > > > > <gabryel.mason-williams(a)diamond.ac.uk> > > > > Cc: dev(a)ceph.io <dev(a)ceph.io> > > > > Subject: Re: RMDA Bug? > > > > > > > > 1. What's the problem do you hit when using RDMA in 14.2.4? > Any > > log > > > > shows the error? > > > > 2. What's your ceph.conf? > > > > 3. How do you deploy the ceph cluster? RDMA need lock some > > memory. So, > > > > it needs change some system configuration to meet with this > > > > requirement? > > > > On 11:21 Wed 30 Oct, Gabryel Mason-Williams wrote: > > > > > Liu, Changcheng wrote: > > > > > > On 07:31 Mon 28 Oct, Mason-Williams, Gabryel > > (DLSLtd,RAL,LSCI) > > > > wrote: > > > > > > > I am using ceph version 12.2.8 > > > > > > > (ae699615bac534ea496ee965ac6192cb7e0e07c0) > luminous > > (stable). > > > > > > > > > > > > > > I have not checked the master branch do you think > this > > is an > > > > issue in > > > > > > > luminous that has been removed in later versions? > > I > > > > haven't hit problem > > > > > > on master branch. Ceph/RDMA changed a lot > > > > > > from luminous to master branch. > > > > > > > > > > > > Is below configuration really needed in > > luminous/ceph.conf? > > > > > > > ms_async_rdma_local_gid = xxxx On master > > branch, > > > > this > > > > > > parameter is not needed at all. > > > > > > B.R. > > > > > > Changcheng > > > > > > > > > > > > > __________________________________________________________________ > > > > > > > > > > Thanks, the issue of the OSD's falling over seems to have > gone > > away > > > > updating to Nautilus 14.2.4. However, I am still unable to > get > > it to > > > > properly communicate over RDMA even with removing > > > > ms_async_rdma_local_gid. > > > > > _______________________________________________ > > > > > Dev mailing list -- dev(a)ceph.io > > > > > To unsubscribe send an email to dev-leave(a)ceph.io > > > > > > > > > > > > -- > > > > > > > > This e-mail and any attachments may contain confidential, > > copyright and > > > > or privileged material, and are for the use of the intended > > addressee > > > > only. If you are not the intended addressee or an > authorised > > recipient > > > > of the addressee please notify us of receipt by returning > the > > e-mail > > > > and do not use, copy, retain, distribute or disclose the > > information in > > > > or attached to the e-mail. > > > > Any opinions expressed within this e-mail are those of the > > individual > > > > and not necessarily of Diamond Light Source Ltd. > > > > Diamond Light Source Ltd. cannot guarantee that this e-mail > or > > any > > > > attachments are free from viruses and we cannot accept > liability > > for > > > > any damage which you may sustain as a result of software > viruses > > which > > > > may be transmitted in or with the message. > > > > Diamond Light Source Limited (company no. 4375679). > Registered > > in > > > > England and Wales with its registered office at Diamond > House, > > Harwell > > > > Science and Innovation Campus, Didcot, Oxfordshire, OX11 > 0DE, > > United > > > > Kingdom > > > > > > > _______________________________________________ > > > > Dev mailing list -- dev(a)ceph.io > > > > To unsubscribe send an email to dev-leave(a)ceph.io > > > > > > From 40fa0d7096364b410e8242c46967029fb949876a Mon Sep 17 > 00:00:00 > > 2001 > > > From: Changcheng Liu <changcheng.liu(a)aliyun.com> > > > Date: Tue, 23 Jul 2019 18:50:57 +0800 > > > Subject: [PATCH] rdma systemd: grant access to /dev and unlimit > mem > > > > > > Signed-off-by: Changcheng Liu <changcheng.liu(a)aliyun.com> > > > > > > diff --git a/systemd/ceph-fuse@.service.in > > b/systemd/ceph-fuse@.service.in > > > index d603042b12..ff2e9072f6 100644 > > > --- a/systemd/ceph-fuse@.service.in > > > +++ b/systemd/ceph-fuse@.service.in > > > @@ -12,6 +12,7 @@ ExecStart=/usr/bin/ceph-fuse -f --cluster > > ${CLUSTER} %I > > > LockPersonality=true > > > MemoryDenyWriteExecute=true > > > NoNewPrivileges=true > > > +LimitMEMLOCK=infinity > > > # ceph-fuse requires access to /dev fuse device > > > PrivateDevices=no > > > ProtectControlGroups=true > > > diff --git a/systemd/ceph-mds@.service.in > > b/systemd/ceph-mds@.service.in > > > index 39a2e63105..0e58dfeeea 100644 > > > --- a/systemd/ceph-mds@.service.in > > > +++ b/systemd/ceph-mds@.service.in > > > @@ -14,7 +14,8 @@ ExecReload=/bin/kill -HUP $MAINPID > > > LockPersonality=true > > > MemoryDenyWriteExecute=true > > > NoNewPrivileges=true > > > -PrivateDevices=yes > > > +LimitMEMLOCK=infinity > > > +PrivateDevices=no > > > ProtectControlGroups=true > > > ProtectHome=true > > > ProtectKernelModules=true > > > diff --git a/systemd/ceph-mgr@.service.in > > b/systemd/ceph-mgr@.service.in > > > index c98f6378b9..682c7ecef3 100644 > > > --- a/systemd/ceph-mgr@.service.in > > > +++ b/systemd/ceph-mgr@.service.in > > > @@ -18,7 +18,8 @@ LockPersonality=true > > > MemoryDenyWriteExecute=false > > > > > > NoNewPrivileges=true > > > -PrivateDevices=yes > > > +LimitMEMLOCK=infinity > > > +PrivateDevices=no > > > ProtectControlGroups=true > > > ProtectHome=true > > > ProtectKernelModules=true > > > diff --git a/systemd/ceph-mon@.service.in > > b/systemd/ceph-mon@.service.in > > > index c95fcabb26..51854fad96 100644 > > > --- a/systemd/ceph-mon@.service.in > > > +++ b/systemd/ceph-mon@.service.in > > > @@ -21,7 +21,8 @@ LockPersonality=true > > > MemoryDenyWriteExecute=true > > > # Need NewPrivileges via `sudo smartctl` > > > NoNewPrivileges=false > > > -PrivateDevices=yes > > > +LimitMEMLOCK=infinity > > > +PrivateDevices=no > > > ProtectControlGroups=true > > > ProtectHome=true > > > ProtectKernelModules=true > > > diff --git a/systemd/ceph-osd@.service.in > > b/systemd/ceph-osd@.service.in > > > index 1b5c9c82b8..06c20d7c83 100644 > > > --- a/systemd/ceph-osd@.service.in > > > +++ b/systemd/ceph-osd@.service.in > > > @@ -16,6 +16,8 @@ LockPersonality=true > > > MemoryDenyWriteExecute=true > > > # Need NewPrivileges via `sudo smartctl` > > > NoNewPrivileges=false > > > +LimitMEMLOCK=infinity > > > +PrivateDevices=no > > > ProtectControlGroups=true > > > ProtectHome=true > > > ProtectKernelModules=true > > > diff --git a/systemd/ceph-radosgw@.service.in > > b/systemd/ceph-radosgw@.service.in > > > index 7e3ddf6c04..fe1a6b9159 100644 > > > --- a/systemd/ceph-radosgw@.service.in > > > +++ b/systemd/ceph-radosgw@.service.in > > > @@ -13,7 +13,8 @@ ExecStart=/usr/bin/radosgw -f --cluster > ${CLUSTER} > > --name client.%i --setuser ce > > > LockPersonality=true > > > MemoryDenyWriteExecute=true > > > NoNewPrivileges=true > > > -PrivateDevices=yes > > > +LimitMEMLOCK=infinity > > > +PrivateDevices=no > > > ProtectControlGroups=true > > > ProtectHome=true > > > ProtectKernelModules=true > > > diff --git a/systemd/ceph-volume@.service > > b/systemd/ceph-volume@.service > > > index c21002cecb..e2d1f67b85 100644 > > > --- a/systemd/ceph-volume@.service > > > +++ b/systemd/ceph-volume@.service > > > @@ -9,6 +9,7 @@ KillMode=none > > > Environment=CEPH_VOLUME_TIMEOUT=10000 > > > ExecStart=/bin/sh -c 'timeout $CEPH_VOLUME_TIMEOUT > > /usr/sbin/ceph-volume-systemd %i' > > > TimeoutSec=0 > > > +LimitMEMLOCK=infinity > > > > > > [Install] > > > WantedBy=multi-user.target > > > -- > > > 2.17.1 > > > > > > _______________________________________________ > > > Dev mailing list -- dev(a)ceph.io > > > To unsubscribe send an email to dev-leave(a)ceph.io > > > > > > -- > > > > This e-mail and any attachments may contain confidential, > copyright and > > or privileged material, and are for the use of the intended > addressee > > only. If you are not the intended addressee or an authorised > recipient > > of the addressee please notify us of receipt by returning the > e-mail > > and do not use, copy, retain, distribute or disclose the > information in > > or attached to the e-mail. > > Any opinions expressed within this e-mail are those of the > individual > > and not necessarily of Diamond Light Source Ltd. > > Diamond Light Source Ltd. cannot guarantee that this e-mail or any > > attachments are free from viruses and we cannot accept liability > for > > any damage which you may sustain as a result of software viruses > which > > may be transmitted in or with the message. > > Diamond Light Source Limited (company no. 4375679). Registered in > > England and Wales with its registered office at Diamond House, > Harwell > > Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, > United > > Kingdom

4 years, 5 months

1
0
0 0

2024

2023

2022

2021

2020

2019

Dev November 2019